Apple SSL Bug: Test Your Vulnerability, Fix Available Soon


On Friday, Feb. 21, Apple issued a security bulletin for iOS 7.0.6. There was not much detail in the bulletin, but it did state that the impact was “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”

The problem is the result of a coding error: an extra, duplicated “goto fail” statement causes the SSL signature check to be skipped, so the server is never authenticated. The result is that applications running on iOS and OS X are vulnerable to man-in-the-middle (MITM) attacks, where the attacker presents his own unauthenticated certificate, poses as a legitimate website, and intercepts communications and trusted information or inserts malware.
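As an added illustration (not code from this post or from Apple), the following constructed C model shows why one duplicated `goto fail` defeats the check: the second `goto` is unconditional, so control jumps to the `fail` label while `err` is still 0 and the signature is never verified. The step functions are stand-ins for the real hash-update and signature-verification calls.

```c
#include <string.h>

/* Constructed, simplified model of the control flow behind the "goto fail"
 * defect. It is not Apple's SecureTransport source; hash_update() and
 * verify_signature() stand in for the hash-update and signature-check calls
 * in the real ServerKeyExchange verification routine. */

/* Stand-in hash step: succeeds (returns 0) unless the input is missing. */
static int hash_update(const char *data) { return data ? 0 : -1; }

/* Stand-in signature check: succeeds only for the constructed "good" value.
 * A real implementation verifies the server's signature over the hashed
 * key-exchange parameters with the key from its certificate. */
static int verify_signature(const char *sig) {
    return strcmp(sig, "valid-signature") == 0 ? 0 : -1;
}

/* Buggy variant: the duplicated "goto fail" is unconditional. Once the second
 * hash step succeeds, control jumps to fail with err == 0, so the signature
 * check below is dead code and the caller sees success for any signature. */
int verify_server_key_exchange_buggy(const char *server_random,
                                     const char *signed_params,
                                     const char *sig) {
    int err;
    if ((err = hash_update(server_random)) != 0)
        goto fail;
    if ((err = hash_update(signed_params)) != 0)
        goto fail;
        goto fail;   /* the extra line: always taken, skips the check below */
    if ((err = verify_signature(sig)) != 0)
        goto fail;
fail:
    return err;      /* 0 means "verified" to the caller */
}

/* Fixed variant: with the stray goto removed, a bad signature yields err != 0. */
int verify_server_key_exchange_fixed(const char *server_random,
                                     const char *signed_params,
                                     const char *sig) {
    int err;
    if ((err = hash_update(server_random)) != 0)
        goto fail;
    if ((err = hash_update(signed_params)) != 0)
        goto fail;
    if ((err = verify_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}
```

Compilers with unreachable-code warnings enabled flag the dead check, which is one reason such warnings belong in a TLS library's build.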

The failure impacts all applications that use the SecureTransport library, such as Safari, Mail, Twitter, FaceTime and iMessage. Neither Chrome nor Firefox is impacted, as they use NSS for SSL/TLS.

The problem has been corrected with the release of iOS 6.1.6 and iOS 7.0.6; however, OS X 10.9.1 is still affected. Apple has confirmed that a fix for OS X will be released very soon.

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

IdentityOn Blog